The best 30-second investment you’ll make all day

Familiar with Fantage? If you have kids, they probably are. It’s an MMORPG – a massively multiplayer online role-playing game – where millions of children customize avatars to play online games in a virtual world. According to the FTC, there are a few more initials this MMORPG will want to be mindful of in the future: the U.S.-EU Safe Harbor Framework.

Following up on a dozen cases announced last month, the FTC just settled a lawsuit charging that Fantage claimed to be in compliance with the U.S.-EU Safe Harbor Framework, but had let its certification lapse. The Framework gives U.S. companies a cost-effective, streamlined way to satisfy certain requirements of the European Commission’s Directive on Data Protection. To remain in good standing, a company must self-certify every year to the U.S. Department of Commerce that it’s in compliance.

The program is voluntary, but if you say (or imply) that you’re a participant, your company must honor that annual self-certification. That’s where the FTC says Fantage fell short. According to the complaint, Fantage submitted a self-certification in June 2011 and since then has said on its website, “. . . we follow the privacy principles of the U.S.-EU Safe Harbor Framework.” The trouble is that it didn’t recertify after that – rendering that claim false.

To settle the case, Fantage has agreed that it won’t misrepresent its membership in any government, self-regulatory, or standard-setting program related to privacy or security, including the U.S.-EU Safe Harbor Framework.

Now for that 30-second investment. Be an in-house hero and check what your company says expressly or by implication about participation in the Safe Harbor Framework. (Your privacy policy is a good place to start.) If you're in compliance, mark your scheduler for your company's next annual self-certification. If not, you have two choices: Recertify or remove the false claim. Visit the FTC’s U.S.-EU Safe Harbor Framework page for important links and background information.

Interested in commenting about the proposed settlement? File online by the March 13, 2014, deadline.

Comments

This is an insufficient action. The commission should have raised larger questions about the inadequacy of the current Safe Harbor regime, as reflected in this case. There are more problems here than simply a failure to renew certification status. If the commission is to be taken seriously on Safe Harbor, it will need to demonstrate a willingness to get to the bottom of the problem. This case should be viewed by EU consumers as an example of why the current Department of Commerce/FTC approach--even if bolstered in response to the E. Commission's recommendations--cannot be relied on to give meaningful data protection to EU users.
